Splunk Search

Automatic lookups and rangemap

bowesmana
SplunkTrust

I think I am going mad...

I set up a lookup table (points.csv) containing

range,Place,Points
2013,1,20
2013,2,15
2013,3,11
2013,4,8
2013,5,6
2013,6,5
2013,7,4
2013,8,3
2013,9,2
2013,0,1
2004,1,5
2004,2,4
2004,3,3
2004,4,2
2004,0,1
1995,1,5
1995,2,4
1995,3,3
1995,4,2
1995,0,1

I created a lookup in transforms.conf

[placepoints]
filename = points.csv

I created an automatic lookup

[bbr*]
LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints

This search

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| table Name, Place, Points, PlacePoints 
| sort - Points

I am pretty sure that when I created this the first time it worked; however, I deleted the lookup and then tried various incarnations of new attempts to get it to work again without luck, and now I doubt I ever did get it to work.

Putting the lookup in manually as in

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| lookup placepoints Place range OUTPUTNEW Points as PlacePoints
| table Name, Place, Points, PlacePoints 
| sort - Points

works fine and I get PlacePoints (or any other name I use).

So I started to wonder if it ever worked, and about the order of rangemap and automatic lookups. Is the range field available when the automatic lookup is run, i.e. does it run before the rangemap process or after it?

0 Karma
1 Solution

lguinn2
Legend

The automatic lookup will occur prior to the rangemap.

However, you cannot use wildcards in props.conf for sourcetype stanzas. So I don't think your automatic lookup is happening.
Second, automatic lookups happen as part of the base search processing.
Just run the search:

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7

Both fields, Place and range, must exist in the search results, or else the automatic lookup will not return any results, even after you fix the name of the stanza to match the sourcetype.


0 Karma

bowesmana
SplunkTrust

Thanks, I had got to the wildcards in sourcetype stanzas issue, so fixed that and you are right, it still did not work. What you say makes sense, but I just can't figure out why I believe it worked when I first created the automatic lookup - but that's now lost in the depths of time, so I'll go with your answer and work on the basis of the manual lookup.

0 Karma
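
An added example, not part of any post in this thread: Splunk applies calculated fields (EVAL-) before automatic lookups at search time, so one way to have range present when the automatic lookup runs is to compute it in props.conf instead of with rangemap. The stanza name bbr_results is a placeholder for the real, non-wildcard sourcetype, and Year is assumed to be an already-extracted field.

```ini
# props.conf (added example; "bbr_results" is a placeholder sourcetype name)

# As posted in the thread. Per the answer above, the wildcard stanza is not
# matched as a sourcetype, and "range" does not exist yet when automatic
# lookups run, because rangemap is a search command that executes afterwards.
# [bbr*]
# LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints

# Alternative: name the sourcetype exactly and compute "range" as a calculated
# field, which is applied before automatic lookups.
[bbr_results]
# Same buckets as: rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999
# A Year outside 0-9999 leaves range unset, so the lookup returns nothing for it.
EVAL-range = case(Year>=2013 AND Year<=9999, "2013", Year>=2004 AND Year<=2012, "2004", Year>=0 AND Year<=2003, "1995")
LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints

# transforms.conf (unchanged from the thread)
[placepoints]
filename = points.csv
```

To check it, run the base search without the rangemap and lookup commands and confirm that both range and PlacePoints appear in the results.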